b'                                                           IG-00-055\n\n\n\n\nAUDIT\n                           SYSTEM INFORMATION TECHNOLOGY SECURITY\nREPORT                                    PLANNING\n\n                                      September 28, 2000\n\n\n\n\n                            OFFICE OF INSPECTOR GENERAL\n\nNational Aeronautics and\nSpace Administration\n\x0cAdditional Copies\n\n\nTo obtain additional copies of this report, contact the Assistant Inspector General for Auditing at\n(202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for\nAuditing. Ideas and requests can also be mailed to:\n\n        Assistant Inspector General for Auditing\n        Code W\n        NASA Headquarters\n        Washington, DC 20546-0001\n\nNASA Hotline\n\nTo report fraud, waste, abuse, or mismanagement contact the NASA Hotline at (800) 424-9183,\n(800) 535-8134 (TDD), or at www.hq.nasa.gov/office/oig/hq/hotline.html#form; or write to the\nNASA Inspector General, P.O. 
Box 23089, L\xe2\x80\x99Enfant Plaza Station, Washington, DC 20026.\nThe identity of each writer and caller can be kept confidential, upon request, to the extent\npermitted by law.\n\nReader Survey\n\nPlease complete the reader survey at the end of this report or at\nhttp://www.hq.nasa.gov/office/oig/hq/audits.html.\n\n\n\n\nAcronyms\n\nID                  Identification\nIT                  Information Technology\nGAO                 General Accounting Office\nJPL                 Jet Propulsion Laboratory\nNIST                National Institute of Standards and Technology\nNPG                 NASA Procedures and Guidelines\nOMB                 Office of Management and Budget\nOPM                 Office of Personnel Management\nSMA                 Special Management Attention\n\x0cW                                                                                           September 28, 2000\n\n\nTO:             A/Administrator\n\nFROM:           WInspector General\n\nSUBJECT: INFORMATION: System Information Technology Security Planning\n          Report Number IG-00-055\n\n\nThe NASA Office of Inspector General has completed an audit of System Information\nTechnology Security Planning. We found that NASA has not adequately complied with the\nComputer Security Act of 1987 and Office of Management and Budget (OMB) Circular A-\n130, "Management of Federal Information Resources," dated February 8, 1996. NASA\nmanagers did not assign sufficient priority to information technology (IT) security. NASA\nHeadquarters and the Centers had no IT security plans for 17 of 38 special management\nattention1 (SMA) systems and for 13 of 30 publicly accessible Web site2 host computers in our\nsamples. The Jet Propulsion Laboratory (JPL) has no IT security plans for its IT systems. 
In\naddition, there are no security plans, contingency plans, or risk assessments for five elements of\na major information system.3 Initial and periodic personnel screening requirements in Agency\npolicy do not comply with OMB Circular A-130 requirements. Therefore, NASA\'s IT systems\nare at increased risk and the effectiveness of NASA\'s IT security program is degraded. The\nCenters and JPL are working to meet the NASA Chief Information Officer\'s goal of completing\nIT security plans for all SMA systems by September 30, 2000. We consider the\nnoncompliance with the Computer Security Act and OMB Circular A-130 to be a potential\nmaterial management control weakness reportable in accordance with OMB Circular A-123,\n"Management Accountability and Control," and NASA Policy Directive 1200.1A, "Internal\nManagement Controls, Audit Liaison, and Followup."\n\n\n\n1\n  "Special management attention" is a NASA term for information systems that are considered to be the most important\nto NASA in accomplishing its mission. Increased oversight of these IT systems is required due to the risk and\nmagnitude of harm that would result from the loss, misuse, unauthorized access to, or modification of the data in a\nsystem.\n2\n  A publicly accessible Web site is one designed to be viewed by the general public. These Web sites are advertised to\nthe public such as, www.nasa.gov, or contain links to other NASA public Web sites.\n3\n  The system will not be identified in the report due to the sensitivity of this information. However, we have advised\nNASA officials of the identity of the system so that they may take appropriate corrective action.\n\x0c                                                                                                                     2\n\n\nBackground\n\nNASA is dependent on IT for all its missions and support activities. 
The integrity, availability,\nand confidentiality of NASA\'s electronic information are critically important unless its computing\nenvironment is secure. IT security plans report the outcome of the IT security planning process,\nprovide essential information about the system, describe the associated risks, and the security\ncontrols that have been implemented. NASA managers must authorize the use of each IT\nsystem based on the implementation of its security plan before the system is placed in service,\nwhen significant changes are made, and when 3 years have expired since the last authorization.\n\nRecommendations\n\nWe recommended that the NASA Chief Information Officer create an inventory containing the\nstatus of IT security plans and authorizations to use the systems and require quarterly updates.\nThis inventory will provide senior NASA management more visibility of the status of IT security\nplans and authorizations to use the systems. NASA managers used a similar inventory during the\nYear 2000 date conversion problem. We also recommended that Associate Administrators\nand Center Directors report the Federal noncompliance conditions to the Agency\'s Internal\nControl Council4 as significant areas of concern. Agency managers and employees should\nidentify and report deficiencies that are or should be of interest to the next level of management.\nWe recommended that the Director, Goddard Space Flight Center expedite the development\nand implementation of IT security plans for one of NASA\'s major IT systems. IT security plans\nare the equivalent of Program and Project Plans. Not having a plan significantly increases the\npossibility that IT security risks have not been identified, adequate protective measures have not\nbeen implemented, and NASA managers are unaware of the risks associated with operating the\nsystem. 
Finally, we recommended that the NASA Chief Information Officer expand policy\nrequirements for personnel screenings to comply with OMB Circular A-130. Initial and\nperiodic screening of individuals supplements technical, operational, and management controls,\nparticularly where the risk and magnitude of harm is high.\n\nManagement Response and OIG Evaluation\n\nManagement concurred with 7 of the 10 recommendations. Management partially concurred\nwith recommendations to report the Federal noncompliance conditions at JPL, Langley\nResearch Center (Langley), and NASA Headquarters to the Agency\'s Internal Control Council\nas significant areas of concern. Management stated that Langley and NASA Headquarters are\nscheduled to have fully compliant IT security plans for all SMA systems by September 30,\n2000. With the completion of these plans, there is no need to report noncompliance conditions\nas a significant area of concern. We agree that there is no need to report the noncompliance\n\n4\n  The Internal Control Council makes recommendations to the NASA Administrator on issues for NASA\'s annual\nstatement of assurance to the President and Congress, pursuant to the Federal Managers\' Financial Integrity Act and for\nincorporation into NASA\'s annual Accountability Report.\n\x0c                                                                                             3\n\n\nconditions as a significant area of concern, if the noncompliance conditions are corrected by\nSeptember 30, 2000. However, we have no assurance that Langley and NASA Headquarters\nwill meet the schedules. We have requested that management provide additional information on\nthe completion of SMA system IT security plans at the two locations. In addition, management\nstated that the condition of IT security plans at JPL is a contractual issue and not a Federal\nManagers\' Financial Integrity Act issue. 
We agree that JPL does not participate in the Agency\'s\ninternal control process; however, the NASA officials who manage the programs that JPL\nconducts do participate. JPL manages a significant amount of IT resources that are essential to\nthe conduct of Agency programs. NASA managers are ultimately responsible for the security\nof NASA\'s IT resources. We have asked that management reconsider its position on the\nreporting of significant areas of management concern related to functions performed by\ncontractors.\n\n\n[original signed by]\nRoberta L. Gross\n\nEnclosure\nFinal Report on Audit of System Information Technology Security Planning\n\x0c             FINAL REPORT\nSYSTEM INFORMATION TECHNOLOGY SECURITY\n               PLANNING\n\x0cW                                                                          September 28, 2000\n\n\nTO:              AO/Chief Information Officer\n\nFROM:            W/Assistant Inspector General for Auditing\n\nSUBJECT:         Final Report on the Audit of System Information Technology Security\n                 Planning\n                 Assignment Number A0003700\n                 Report Number IG-00-055\n\n\nThe subject final report is provided for your information and use. Please refer to the Executive\nSummary for the overall audit results. Our evaluation of your responses has been incorporated\ninto the body of the report. The corrective actions taken or planned for recommendations 1, 2,\n5, 6, 7, 9, and 10 are responsive. The corrective actions planned for recommendations 3, 4\nand 8 are not responsive because additional information is needed for us to determine whether\nmanagement has corrected the Federal noncompliance conditions related to the\nrecommendations. In addition, we request that management reconsider its position on\nrecommendation 4 concerning reporting of significant areas of management concern. Your\nactions are sufficient to close recommendations 2, 5, and 6 for reporting purposes. 
We request\nadditional information as described in the report for recommendations 1, 3, 4, and 8 by\nNovember 27, 2000. Recommendations 1, 7, 9, 10 will remain open for reporting purposes\nuntil agreed-to corrective actions are completed. For corrective actions that are incomplete,\nplease notify us when action has been taken, including the extent of testing performed to ensure\ncorrective actions are effective.\n\nIf you have questions concerning the report, please contact Mr. Gregory B. Melson, Program\nDirector, Information Assurance Audits, at (202) 358-2588, or Mr James W. Geith, Auditor-\nin-Charge, at (301) 286-7943. We appreciate the courtesies extended to the audit staff. The\nfinal report distribution is in Appendix E.\n\n[Original signed by]\n\nRussell A. Rau\n\x0c                                                                 2\n\nEnclosure\n\ncc:\nB/Chief Financial Officer\nB/Comptroller\nBF/Director, Financial Management Division\nC/Associate Administrator for Headquarters Operations\nG/General Counsel\nH/Associate Administrator for Procurement\nM/Associate Administrator for Space Flight\nR/Associate Administrator for Aerospace Technology\nS/Associate Administrator for Space Science\nY/Associate Administrator for Earth Science\nJM/Acting Director, Management Assessment Division\nGRC/3-2/Director, John H. Glenn Research Center at Lewis Field\nGSFC/100/Director, Goddard Space Flight Center\nJPL/1000/Director, Jet Propulsion Laboratory\nLaRC/106/Director, Langley Research Center\n\x0cContents\n\nExecutive Summary, i\n\nIntroduction, 1\n\nFindings and Recommendations , 2\n\n     Finding A. System Security Controls, 2\n\n     Finding B. 
Personnel Screening, 11\n\nAppendix A - Objectives, Scope and Methodology, 13\n\nAppendix B - Federal Guidance on Information Technology Security,\n17\n\nAppendix C - Material Control Weakness, 21\n\nAppendix D - Management\'s Response, 22\n\nAppendix E - Report Distribution, 26\n\x0c                                  NASA Office of Inspector General\n\nIG-00-055                                                                                  September 28, 2000\n A0003700\n                                    System Information Technology\n                                          Security Planning\n\n                                              Executive Summary\n\nBackground. Successful accomplishment of NASA\'s mission depends heavily on automated\ninformation resources. As technology evolves, these resources face increasing vulnerability to\nexternal and internal attack. Our risk-based analysis of various Federal IT security requirements\nindicated that NASA\'s IT security planning was the most fundamental and highest risk area for which\nadditional NASA Office of Inspector General review was warranted. Specifically, we determined\nthat a review of strategic and system information security planning, including the adequacy of existing\npolicy and implementation, should be the first step in assessing NASA-wide information security\nactivities.5\n\nObjectives. The overall objective was to determine whether NASA had established and\nimplemented effective security plans for general support systems6 and major applications,7 including\npublicly accessible Web sites. 
We reviewed a sample of 38 IT security plans for SMA IT systems\nand a sample of 30 plans for computers that host publicly accessible Web sites8 at eight NASA\n\n\n5\n  The General Accounting Office (GAO) stated in its Report Number GAO/AIMD-98-68, "GAO Executive Guide,\nInformation Security Management, Learning from Leading Organizations," May 1998:\n\n                    The single most important factor in prompting the establishment of an effective\n                    security program was a general recognition and understanding among the\n                    organization\'s most senior executives of the enormous risks to business operations\n                    associated with relying on automated and highly interconnected systems. However,\n                    risk assessments of individual business applications provided the basis for\n                    establishing policies and selecting related controls. Steps were then taken to increase\n                    the awareness of users concerning these risks and related policies. The effectiveness\n                    of controls and awareness activities was then monitored through various analyses,\n                    evaluations, and audits, and the results provided input to subsequent risk\n                    assessments, which determined if existing policies and controls needed to be modified.\n\n6\n  OMB Circular A-130 defines a general support system as "an interconnected set of information resources under the same\ndirect management control which shares common functionality. 
A system normally includes hardware, software, information,\ndata, applications, communications, and people."\n7\n  OMB Circular A-130 defines a major application as "an application that requires special attention to security due to the risk\nand magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the\napplication."\n8\n  We identified a universe of 177 security plans for SMA IT systems and a universe of 195 security plans for Web site host\ncomputers.\n\x0cinstallations.9 We compared the contents of the security plans with the requirements for security\nplans in OMB Circular A-130 and NASA Procedures and Guidelines (NPG) 2810.1, "Security of\nInformation Technology," dated August 26, 1999. Details on our objectives, scope, and\nmethodology are in Appendix A.\n\nResults of Audit. NASA has not adequately complied with the Computer Security Act of 1987\nand OMB Circular A-130.\n\n\xe2\x80\xa2   NASA Headquarters and the Centers had no IT security plans for 17 of 38 SMA systems and\n    for 13 of 30 Web site host computers in our samples. JPL has no IT security plans for its IT\n    systems. None of the IT security plans in either sample fully complies with OMB Circular A-\n    130. In addition, there are no security plans, contingency plans, or risk assessments for five\n    major elements of a major information system. The lack of adequate IT security plans\n    significantly reduces the effectiveness of the IT security programs for those systems. The\n    Centers and JPL intend to complete the IT security plans for SMA systems by September 30,\n    2000 (Finding A).\n\n\xe2\x80\xa2   Initial and periodic personnel screening requirements in NPG 2810.1 do not comply with OMB\n    Circular A-130 requirements. The NPG lacks requirements for periodic screening of individuals\n    authorized to bypass system security controls. 
In addition, the NPG lacks a requirement to use\n    initial and periodic personnel screening as a control when applications or the information in an\n    application cannot be adequately protected because line managers do not use other controls\n    such as individual accountability or when the controls do not provide sufficient protection.\n    Inadequate personnel screening combined with the use of group user ID\'s increased the security\n    risks for IT systems (Finding B).\n\nWe consider the Agency noncompliance with the Computer Security Act and OMB Circular A-130\nto be a potential material control weakness reportable in accordance with OMB\nCircular A-123, "Management Accountability and Control," June 21, 1995, and NASA Policy\nDirective 1200.1A, "Internal Management Controls, Audit Liaison, and Followup," dated June 1,\n2000 (see Appendix C for a detailed discussion).\n\nRecommendations. We recommended that NASA management establish an inventory of IT\nsystems and IT security plans to manage the development and implementation of IT system security\nprograms, develop and implement IT security plans for some elements of a major IT system, and\nrevise Agency IT security policy on personnel screening requirements. Also,\nAssociate Administrators and Center Directors should report to the Agency\'s Internal Control\nCouncil the Federal noncompliance conditions as significant areas of concern to be included in\nNASA\'s annual Federal Managers\' Financial Integrity Act statement of assurance.\n\n9\n We reviewed security plans at NASA Headquarters, Ames Research Center (Ames), John H. Glenn Research Center at\nLewis Field (Glenn), Goddard Space Flight Center (Goddard), John F. Kennedy Space Center (Kennedy), Lyndon B. Johnson\nSpace Center (Johnson), Langley, and George C. Marshall Space Flight Center (Marshall).\n\n\n\n\n                                                         ii\n\x0cManagement\'s Response. 
Management concurred with the recommendations to establish an\ninventory of IT systems and IT security plans, to develop and implement IT security plans for some\nelements of a major IT system, and to revise Agency IT security policy on personnel screening\nrequirements. The Director, Glenn Research Center at Lewis Field and the Director, Goddard\nSpace Flight Center concurred with the recommendations to report their respective Center\'s Federal\nnoncompliance conditions as a significant area of concern to the Agency\'s Internal Control Council.\nThe Associate Administrator for Headquarters Operations, the Associate Administrator for Space\nScience, and the Director, Langley Research Center partially concurred with these\nrecommendations. Langley and NASA Headquarters have scheduled completion all of their SMA\nsystem IT security plans by September 30, 2000. Management stated that if all the plans are\ncompleted, the noncompliances would no longer exist, and there would be nothing to report. In\naddition, the Associate Administrator for Space Science did not agree on the applicability of OMB\nCircular A-123 reporting requirements to JPL\'s operations.\n\nEvaluation of Management\'s Response. Management\'s planned or completed actions on the\nrecommendations to establish an inventory of IT systems and IT security plans, to develop and\nimplement IT security plans for some elements of a major IT system, and to revise Agency IT\nsecurity policy on personnel screening requirements are responsive. The Center Directors\' reporting\nof their Center\'s Federal noncompliance conditions as a significant area of concern was also\nresponsive. The responses by the Associate Administrator for Headquarters Operations, and the\nDirector, Langley Research Center are not fully responsive without evidence that shows the\nsignificant noncompliance conditions we found no longer exist. 
The Associate Administrator for\nSpace Science\'s position on reporting management concerns related to JPL\'s operations is\nnonresponsive because NASA managers are ultimately responsible. We request that we be notified\nwhen the SMA system IT security plans for the IT systems at Langley and NASA Headquarters are\ncompleted so that we can review them. We also request that the Associate Administrator for Space\nScience reconsider his position on reporting JPL\'s Federal noncompliance conditions as a significant\narea of concern to the Internal Control Council.\n\n\n\n\n                                                 iii\n\x0cIntroduction\n\nThe current NASA Strategic Plan states that one of NASA\'s objectives is to:\n\n                Ensure information technology provides an open and secure exchange of information,\n                is consistent with Agency technical architectures and standards, demonstrates a\n                projected return on investment, reduces risk, and directly contributes to mission\n                success.\n\n\nTo achieve the objective of security in computing, NASA must ensure that the following three\ncomputer security characteristics are maintained:\n\n                a.   Integrity--The ability to ensure that information, the applications processing\n                     that information, the information technology systems used to run that\n                     information, and the hardware configuration, connectivity, and the status of\n                     privilege settings cannot be altered during processing, storage or transmission.\n\n                b.   Availability--The ability to ensure that data, applications, and systems are\n                     accessible when and where needed.\n\n                c.   
Confidentiality--The ability to ensure that information is disclosed only to those\n                     who have a valid need to possess it.\n\n\nA secure computing environment is based on managing the risks to an appropriate level. The\nsecurity controls applied to a computer system should be commensurate with the magnitude of harm\nthat would result from the loss, misuse, inability to access, unauthorized access to, or modification of\nthe information in the system. An IT security plan reports the outcome of the IT security planning\nprocess. An IT security plan provides key information about the system and describes the\nassociated risks and the security controls that have been implemented. The IT security plan is the\nsource document that describes how the security controls for a particular system function.\n\nThe NASA Administrator recently emphasized the importance of IT security planning in his Safety\nand Health Message, titled "NASA Security: Classified Information, Information Technology, and\nInternational Technology Transfer/Export Controls," dated June 19, 2000. The Administrator stated:\n\n                Every NASA information technology system must have a security plan that included\n                risk assessment and implementation of appropriate safeguards. These plans must be\n                signed by the project or program manager to attest that the system is ready to\n                operate.\n\x0cFindings and Recommendations\n\nFinding A. System Security Controls\n\nNASA managers have not developed and implemented IT security plans for many of the Agency\'s\nSMA IT systems and computers that host publicly accessible Web sites. In addition, many of the\nexisting IT security plans are inadequate, and several of NASA\'s SMA IT systems and Web site\nhost computers are operating without the required authorizations. 
These conditions exist because\nNASA managers have not complied with Federal policy and have given IT security a low priority.\nConsequently, the security risks have increased for many SMA IT systems and other IT resources\nand the effectiveness of NASA\'s IT security program has been reduced. We consider the\nnoncompliance with the Computer Security Act and OMB Circular A-130 to be a potential material\nweakness reportable to the Agency\'s Internal Control Council.\n\nFederal Policies on Information Technology Security Planning\n\n"The Computer Security Act of 1987," Public Law 100-235, requires agencies to establish a\nsecurity plan for each Federal computer system.\n\nOMB Circular A-130, Appendix III, requires that agencies implement and maintain a program to\nassure that adequate security is provided for all agency information collected, processed, transmitted,\nstored, or disseminated in IT systems. The Circular identifies four controls that are required for each\nIT system. Agency managers must:\n\n\xe2\x80\xa2   Assign responsibility for the security of each system to an individual knowledgeable in the\n    information technology used in the system and in providing security for such technology.\n\n\xe2\x80\xa2   Plan for adequate security of each general support system and major application. Each security\n    plan must contain the information required by the Circular.\n\n\xe2\x80\xa2   Review the security controls in each system when significant modifications are made to the\n    system or when 3 years have elapsed since the last review.\n\n\xe2\x80\xa2   Authorize in writing the use of each system based on the implementation of its security plan\n    before beginning or significantly changing processing in the system. 
Authorizations to process\n    must be renewed at least every 3 years.\n\nThe Circular also requires that IT security plans establish system requirements for a number of\ncontrols for general support systems, including:\n\n\xe2\x80\xa2   Rules of the System. The plan must establish a set of rules of behavior concerning use of,\n    security in, and the acceptable level of risk for, the system. The rules must clearly describe the\n    consequences of behavior not consistent with the rules.\n\n                                                   2\n\x0c\xe2\x80\xa2   Training. The plan must describe how all individuals will be trained in how to fulfill their security\n    responsibilities before allowing them access to the system. Behavior consistent with the rules of\n    the system and periodic refresher training must be required for continued access to the system.\n\n\xe2\x80\xa2   Personnel Controls. The plan must require screening of individuals who are authorized to bypass\n    significant system technical and operational security controls of the system commensurate with\n    the risk and magnitude of harm these individuals could cause. Such screening shall occur before\n    an individual is authorized to bypass controls and periodically thereafter.\n\n\xe2\x80\xa2   Incident Response Capability. The plan must describe the capability to provide help to users\n    when a security incident occurs in the system and to share information concerning common\n    vulnerabilities and threats. This capability shall share information with other organizations,\n    consistent with National Institute of Standards and Technology (NIST) coordination, and should\n    assist the agency in pursuing appropriate legal action, consistent with Department of Justice\n    guidance.\n\n\xe2\x80\xa2   Continuity of Support. The plan must establish the capability to continue providing service within\n    a system based upon the needs and priorities of the participants of the system. 
The plan must\n    include requirements for periodically testing the capability.\n\n\xe2\x80\xa2   Technical Security. The plan must describe how cost-effective security products and techniques\n    are appropriately used within the system.\n\n\xe2\x80\xa2   System Interconnection. The plan must include the requirement to obtain written management\n    authorization, based upon the acceptance of risk to the system, before connecting with other\n    systems.\n\nCircular A-130 establishes similar requirements for security plans for major applications. (Appendix\nB contains the detailed requirements.)\n\nNASA Policies on Information Technology Security Planning\n\nNPG 2810.1 implements the Computer Security Act and Circular A-130 requirements. The\nCircular requires only that a responsible manager sign the authorization to use the system. The NPG\nadds a requirement that the Center Chief Information Officer also sign the authorization to use for\nSMA systems.\n\nInformation Technology Security Plans\n\nWe used a combination of random and judgmental sampling to select a sample of IT security plans\nfor 38 SMA systems and 30 Web site host computers at 8 NASA Centers. There were no IT\nsecurity plans for 17 of the SMA systems and for 13 of the Web site host computers. At Glenn,\nNASA Headquarters, and Langley, none of the sampled SMA IT systems had a security plan. Only\n                                                    3\n\x0cone of the five Web site host computers in the Glenn sample had a security plan. The sampled Web\nsite host computers at NASA Headquarters and Langley had no IT security plans. We did not\nreview a sample of IT security plans at JPL because we determined during our initial data gathering\nthat JPL had no security plans for any of its IT systems.\n\nMajor System IT Security Planning. One of NASA\'s five major IT investments is a system that\nis composed of 14 elements. 
We included the system in the group of systems that had security plans\nbecause we reviewed a security plan for one of the elements. However, there were no security\nplans, contingency plans, or current risk assessments for five of the major elements as required by\nthe system\'s "Security Policy and Guidelines," dated October 1997.\n\nCompliance with Federal and Agency Policy\n\nIT Security Plan Compliance with OMB Circular A-130. Deficiencies existed in IT security\nplans because line managers either did not establish required security controls or did not document\nthe security controls in the plans. None of the 21 existing SMA system IT security plans and none of\nthe 17 existing IT security plans for the Web site host computers fully complied with Circular A-130\nrequirements. While some plans lacked information in one or two areas, most of the plans lacked\ninformation for several of the controls required by the Circular. Common problems involved the lack\nof information on system rules of behavior, initial and periodic training, personnel controls, identifying\nand reporting security incidents, continuity of service, technical security, and system interconnection\n(see Appendix B). Some of this information existed in other documents that were not referenced in\nthe security plans. For example, many systems had system rules of behavior, contingency plans, and\nprocedures for identifying and reporting security incidents in various documents that are not part of\nthe security plan.\n\nIT Security Plan Compliance with NPG 2810.1. Only 9 of the 21 existing SMA system IT\nsecurity plans and 9 of the 17 existing IT security plans for Web site host computers have been\nupdated based on the requirements of NPG 2810.1. None of the plans contained all the information\nrequired by the NPG. 
While the deficiencies varied from plan to plan, many plans lacked
information on rules of the system or application, contingency planning, training, and procedures for
reviewing security controls. Civil service and contractor personnel who rewrote the security plans
using NPG 2810.1 criteria did not include all the required information. In addition, NASA
management approved the plans but did not determine that required information was missing.

Authorizations to Process

NASA managers had authorized only 12 of the 38 SMA systems and 16 of the 30 Web site host
computers in the sample to operate. The authorizations for one SMA system and one Web site host
computer had expired. Although there were no security plans, the NASA managers responsible for
three of the elements of a major IT system signed authorizations to process. Center Chief
Information Officers had not signed 11 of the authorizations to process that were prepared after
NPG 2810.1 became effective.

The General Accounting Office (GAO) reported the failure of NASA managers to complete
required authorizations for IT systems in its audit report titled, "Information Security, Many NASA
Mission-Critical Systems Face Serious Risks," Report Number GAO/AIMD-99-47, May 1999.
The GAO report states that NASA managers had not authorized the use of 133 of the 155 systems
in the GAO sample. NASA concurred with the GAO recommendation to implement an effective IT
security program that includes formally authorizing the use of all systems before they become
operational and at least every 3 years thereafter.
NASA management included the requirement in
NPG 2810, which was issued August 26, 1999.

Priority of Information Security

The absence and inadequacy of security plans and lack of authorizations to process resulted from the
low priority that NASA managers consistently gave to IT security and compliance with the
Computer Security Act, OMB Circular A-130, and NPG 2810.1. In addition, many IT security
plans do not comply with Circular A-130 because Center and Program managers continued to use
the outdated guidance in NASA Handbook 2401.9A, "NASA Automated Information Security,"
dated June 1993, to manage their IT security programs until NPG 2810.1 was issued. The NASA
Handbook required security plans for each IT system and that NASA managers authorize the use of
the system at least every 3 years or more often if major changes were made to the system. The
NASA Handbook did not require that the security plans contain some of the information required by
OMB Circular A-130. Security plans that were rewritten using the NPG 2810.1 requirements
lacked information required by OMB Circular A-130 because the NPG initial and periodic
personnel screening requirements for IT security plans do not comply with OMB Circular A-130
(see Finding B).

The lack of IT security plans for the major IT system elements can also be attributed to the low
priority the Project Office gave IT security. The Project Office planned to have the development
contractor prepare the plans and risk assessments, but the requirement was not included in the
contract because of problems in the development of the system. Extensive modifications to the
planned system were needed. NASA managers directed the contractor to concentrate its efforts on
the modification of the system.

Management Controls

Information technology security policies and plans are part of the management controls for IT
resources.
If an agency has no security plan or required authorization to process for a system, OMB
Circular A-130 requires that the agency consider identifying a deficiency pursuant to OMB Circular
A-123 and the Federal Managers' Financial Integrity Act. Additionally, NASA Policy Directive
1200.1A, "Internal Management Controls and Audit Liaison and Followup," requires managers to
identify and recommend significant areas of concern that may be the result of weak, inadequate, or
unenforced management controls. The management control officer will determine whether significant
areas of concern are reported. The widespread noncompliance with the Computer Security Act,
OMB Circular A-130, and NPG 2810.1 reported in this report and GAO Report Number
GAO/AIMD-99-47 indicates that many of NASA's management controls related to IT security are
inadequate and unenforced. Yet, only the Director, Goddard Space Flight Center, identified IT
security as a significant weakness and concern during fiscal year 1999. (See Appendix C for a
detailed discussion on the procedures for reporting significant areas of concern.)

Effect on NASA's IT Security Program

The absence and inadequacy of security plans for many IT systems and the lack of authorizations to
process significantly degrade the security of the SMA systems and Web site host computers. The
effectiveness of the NASA IT security program has been significantly reduced.

Management Actions

NASA management increased emphasis on IT security in 1998. NASA management was aware of
noncompliances with Federal and Agency IT security policy, procedures, and guidelines. The
NASA Chief Information Officer established a goal of completing IT security plans for all SMA
systems by September 30, 2000.
In response, Glenn, Headquarters, JPL, Langley, and most of the
other Centers are developing or revising IT security plans using the NPG 2810.1 guidelines and
intend to complete the security plans for SMA systems by September 30, 2000. However, the
Agency has not modified many IT services contracts to require compliance with the NPG. For
example, Johnson has not modified Consolidated Space Operations Contract NAS9-98100 to
require preparation of information security plans that comply with the NPG. This contract supports
the IT resources used for space operations at Goddard, JPL, Johnson, Kennedy, and Marshall.
In addition, Goddard intends to update its plans as they come up for the 3-year review. On July 14,
2000, the NASA Office of Procurement issued Procurement Information Circular 00-12. This
Procurement Information Circular establishes standard contractual requirements for safeguarding the
integrity of unclassified NASA information technology systems. The Circular requires that
contracting officers add a revised NASA Federal Acquisition Regulation Supplement clause to all
existing solicitations and contracts by December 31, 2000, where appropriate. The clause requires
that NASA contractors and subcontractors comply with the security requirements outlined in NASA
Policy Directive 2810.1, "Security of Information Technology," dated October 1, 1998, and NPG
2810.1 and with additional safeguarding requirements in the contract clause.

Glenn expects to complete 25 percent of its Web site IT security plans by October 2000. While
JPL has not established specific completion dates for its Web site IT security plans, JPL
management estimates it will complete all of its IT security plans by September 30, 2001.
Headquarters expects to complete all of its Web site IT security plans by April 30, 2001.
As a
result, some Web site IT security plans may not comply with OMB Circular A-130 until 2002 or
later.

Model of Meeting Year 2000 Date Conversion Problem to Develop and Implement
Security Plans

When NASA faced the Year 2000 date conversion problem, the NASA Chief Information Officer
created an Agency-wide inventory of IT systems. The inventory indicated whether the system was
Year 2000 compliant and showed schedule information for the actions being taken to make
noncompliant systems compliant. The NASA Centers submitted quarterly reports that identified
their progress in fixing the noncompliant systems. This process proved to be effective for managing
the Year 2000 date conversion problem and could be equally effective for managing the
development and implementation of IT security plans. Note, however, there is not a one-to-one
correlation between the number of IT systems and the number of security plans that are required.
For some systems, NASA management has chosen to develop separate security programs for each
major element or component of the system. This separation of security responsibility would make it
necessary for the inventory to identify the status of the security plans and authorizations to process
for each element.

Recommendations, Management's Response, and Evaluation of Response

The NASA Chief Information Officer should:

    1. Create an inventory of every NASA IT system and the status of the supporting IT
security plans and required authorizations to process. The inventory should identify those
systems for which NASA management will have separate security plans for each major
element or component of the IT system.

Management's Response. Concur. The Chief Information Officer's staff will maintain an SMA
systems inventory from data the Centers provide. The Centers will maintain inventories of other IT
systems.
The Agency Chief Information Officer's staff will be able to access the inventories.

Evaluation of Management's Response. Management's proposed actions are responsive to the
recommendation. The recommendation is resolved but will remain undispositioned and open until
agreed-to corrective actions are completed. We request that management provide a schedule for
establishing the inventories.

    2. Require the Centers and the Jet Propulsion Laboratory to submit quarterly status
reports until there is a current security plan and authorization to process for each IT
system or system element.

Management's Response. Concur. The Chief Information Officer requires a quarterly status
report on priority systems. The Chief Information Officer determines each year what the priority
systems will be. For FY 2000, the Chief Information Officer defined the priority systems as SMA
systems.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved and dispositioned.

3. The Associate Administrator for Headquarters Operations should report to the
Agency's Internal Control Council the Headquarters' Federal noncompliance conditions as
a significant area of concern to be included in NASA's annual Federal Managers' Financial
Integrity Act statement of assurance.

Management's Response. Partially concur. NASA Headquarters has developed a schedule to
correct the deficiencies that were noted at the time of the audit. All SMA systems are scheduled to
have fully compliant IT security plans with Chief Information Officer approval by September 30,
2000.
All Headquarters general support systems will have IT security plans by April 30, 2001.
With the completion of these plans, there is no need to report noncompliance conditions as a
significant area of concern to be included in NASA's annual Federal Managers' Financial Integrity
Act statement of assurance.

Evaluation of Management's Response. Management is not fully responsive to the
recommendation. We agree that there is no need to report the noncompliance conditions if NASA
Headquarters corrects the deficiencies by September 30, 2000. However, NASA management has
not provided evidence to show that the significant noncompliance conditions we found no longer
exist. Therefore, the recommendation is unresolved and undispositioned. We request that we be
notified when management completes the SMA system IT security plans so that we can review them.

4. The Associate Administrator for Space Science should report to the Agency's Internal
Control Council the Jet Propulsion Laboratory Federal noncompliance conditions as a
significant area of concern to be included in NASA's annual Federal Managers' Financial
Integrity Act statement of assurance.

Management's Response. Partially concur. Management agrees that JPL should have IT security
plans. However, this is a contractual issue and not a Federal Managers' Financial Integrity Act issue.
Because of JPL's status as a contractor-operated installation, JPL does not participate in the
Agency's internal control process. The Agency's contractual relationship with the California Institute
of Technology, which manages JPL, provides for assessments of contractor performance through the
mechanism of semiannual performance evaluations.

Evaluation of Management's Response. Management's comments are not responsive to the
recommendation. We recognize that JPL is a contractor and does not participate in the Agency's
internal control process.
The NASA officials who manage the programs that JPL conducts do
participate in the Agency's internal control process and are required to report significant areas of
concern for their area of responsibility. JPL manages a significant amount of NASA's IT resources.
The logical extension of management's position is that no deficiencies in any of NASA's IT systems
that are managed by contractors are reportable. This is not the case. OMB Circular A-130 and
NPG 2810.1 hold NASA managers responsible for the security of Government information
technology systems. We request that management reconsider its position and provide additional
comments. The recommendation is unresolved and undispositioned.

5. The Director, John H. Glenn Research Center at Lewis Field, should report to the
Associate Administrator for Aerospace Technology the Glenn Federal noncompliance
conditions as a significant area of concern to be included in NASA's annual Federal
Managers' Financial Integrity Act statement of assurance.

Management's Response. Concur. Glenn has already reported this condition in its
August 15, 2000, Federal Managers' Financial Integrity Act annual statement of assurance. Glenn
has a project plan in place to complete all of its SMA system IT security plans by September 30,
2000, and all the remaining IT system security plans by September 30, 2002.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved and dispositioned.

The Director, Goddard Space Flight Center, should:

    6. Report to the Associate Administrator for Earth Science the major IT system
Federal noncompliance conditions as a significant area of concern to be included in NASA's
annual Federal Managers' Financial Integrity Act statement of assurance.

Management's Response. Concur.
The Director's Statement of Assurance to the Associate
Administrator for Earth Science highlights IT security as one of three areas for special discussion.
The Statement of Assurance discusses many actions that Goddard is taking to improve IT security.
These actions include addressing, in particular, the IT security issues identified in this report.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved and dispositioned.

    7. Expedite the development and implementation of the required security plans,
contingency plans, and risk assessments for the major IT system.

Management's Response. Concur. Each of the specified elements of this major information
system will deliver a comprehensive security plan, contingency plan, and risk assessment to the major
element IT Security Official by the end of the calendar year. The major element IT Security Official
will present these plans and assessments to the Goddard Chief Information Officer for his review.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved but will remain undispositioned and open until
agreed-to corrective actions are completed.

8. The Director, Langley Research Center, should report to the Associate Administrator
for Aerospace Technology the Langley Federal noncompliance conditions as a significant
area of concern to be included in NASA's annual Federal Managers' Financial Integrity
Act statement of assurance.

Management's Response. Partially concur. All Langley SMA system plans are scheduled for
completion by September 30, 2000.
With the completion of these plans, there is no need to report
noncompliance conditions as a significant concern to be included in NASA's annual Federal
Managers' Financial Integrity Act statement of assurance.

Evaluation of Management's Response. Management is not fully responsive to the
recommendation. As stated in our response to management's comments on recommendation 3, we
agree that there is no need to report the noncompliance conditions if Langley corrects the
deficiencies by September 30, 2000. However, NASA management has not provided evidence that
shows the significant noncompliance conditions we found no longer exist. Therefore, the
recommendation is unresolved and undispositioned. We request that we be notified when
management completes the SMA IT security plans so that we can review them.

Finding B. Personnel Screening

The personnel screening requirements in NPG 2810.1 do not comply with OMB Circular A-130.
The NPG does not require periodic screening of individuals who can bypass system security controls.
Nor does it require initial and periodic screening of individuals when applications or the information
in the application are not adequately protected, either because managers did not use other controls,
such as individual accountability, or because the controls do not provide adequate security for
mission information systems.[10] This occurred because NASA management overlooked the
Circular A-130 requirements when it developed and approved the NPG. As a result, the security of
all NASA IT systems may be degraded.

Federal Policies and Procedures

OMB Circular A-130, Appendix III, requires that security plans for general support IT systems (see
details in footnote 6) include screening individuals who are authorized to bypass significant technical
and operational security controls of a system commensurate with the risk and magnitude of harm
these individuals could cause. Such screening shall occur before an individual is authorized to bypass
controls and periodically thereafter.

OMB Circular A-130, Appendix III, also requires that IT security plans for major applications (see
details in footnote 7) incorporate controls such as separation of duties, least privilege,[11] and
individual accountability into the application and application rules of behavior, as appropriate. When
such controls cannot adequately protect the application or information in the application, individuals
should be screened commensurate with the risk and magnitude of the harm they could cause. Such
screening shall be done before an individual is authorized to access the application and periodically
thereafter.

Existing NASA Policy

NPG 2810.1 does not adequately address the personnel screening requirements in OMB Circular
A-130. The NPG requires an initial screening of individuals who are authorized to bypass significant
technical and operational controls of IT systems, but does not require additional periodic screening.
Further, the NPG does not require initial and periodic screening of individuals when applications or
the information in the application are not adequately protected, either because line managers did not
use other controls such as individual accountability or because the controls do not provide sufficient
protection.

Personnel screening is particularly important because NASA does not always use individual
accountability as a system control. Appendix A of the NPG discourages but permits the use of
group user IDs on all categories of information systems, including mission information systems.
When an individual logs on[12] to a system using a group user ID,[13] the system has no way of
determining a specific individual. Consequently, individual accountability is lost for that session.
During this and previous audit work, we identified two mission information systems that are using
group user IDs. One system supports human space flight; the other system supports space vehicle
operations. The daily use of group user IDs is a significant security risk that degrades the security of
mission systems.

[10] Mission information systems contain information, software applications, or computer systems that if altered,
destroyed, or unavailable, could have a catastrophic effect on NASA. Mission information systems include systems that
control or directly support human space flight and space vehicle operations.

[11] Least privilege is the practice of restricting a user's access (to data files, to processing capability, or to peripherals)
or type of access (for example read, write, execute, delete) to the minimum necessary to perform his or her job.

Recommendations for Corrective Action

The NASA Chief Information Officer should revise NPG 2810.1 to comply with OMB
Circular A-130 requirements. Specifically, the NPG should be revised to require:

    9. Periodic screening of individuals who are authorized to bypass significant technical
and operational controls of IT systems.

Management's Response. Concur. Compliance with OMB A-130 will be addressed in the next
revision of NPG 2810.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved but will remain undispositioned and open until
agreed-to corrective actions are completed.

    10. Initial and periodic screening of all individuals commensurate with the risk and
magnitude of the harm they could cause when applications or the information in the
application are not adequately protected because line managers did not use other controls
such as individual accountability or the controls do not provide sufficient protection.

Management's Response. Concur. Compliance with OMB A-130 will be addressed in the next
revision of NPG 2810.

Evaluation of Management's Response. Management's actions are responsive to the
recommendation. The recommendation is resolved but will remain undispositioned and open until
agreed-to corrective actions are completed.

[12] NPG 2810.1 defines logon as "the identification and authentication sequence that authorizes a user's access to the
system."

[13] A group user identification is a system identification that is shared among a group of individuals for logging in to a
computer, application, or set of files.
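As an added illustration of the accountability problem described under Finding B (this script is not part of the audit report), the following Python code flags accepted logons that used a group user ID and ranks them by whether the host is a mission information system. The log lines, host names, account names, addresses, the sshd-style line format and the "mission system" list are all constructed for the example.

```python
"""Flag logon sessions made with a group user ID.

Added example, not from the audit report. Finding B notes that a logon with a
shared (group) user ID leaves the system unable to tell which individual acted,
so individual accountability is lost for that session. This script surfaces
such sessions from logon records and rates them higher when the host is a
mission information system (footnote 10). Every value below is constructed:
the log lines, hosts, accounts, addresses, and the hypothetical sshd-style
line format are not taken from any NASA system.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory data: hosts treated as mission information systems.
MISSION_SYSTEMS = {"flightctl-01", "vehicleops-02"}

# Constructed list of accounts known to be group user IDs (footnote 13).
GROUP_USER_IDS = {"opsteam", "shiftcrew", "netadmin"}

# Hypothetical record format:
#   "<timestamp> <host> sshd[<pid>]: Accepted <method> for <user> from <src> ..."
# Only accepted logons establish a session, so only those are matched.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class UnattributableSession:
    timestamp: str
    host: str
    user: str
    source: str
    severity: str  # "high" on a mission information system, else "medium"


def parse_logon(line):
    """Return (timestamp, host, user, source) for an accepted logon, else None."""
    m = LOGON_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("host"), m.group("user"), m.group("src")


def find_unattributable_sessions(lines, group_ids=GROUP_USER_IDS,
                                 mission_hosts=MISSION_SYSTEMS):
    """Return every accepted logon that used a group user ID.

    For each result the log cannot name the individual; only the source
    address remains as a weak lead for attribution.
    """
    findings = []
    for line in lines:
        parsed = parse_logon(line)
        if parsed is None:
            continue  # failed logons, other events, or unparseable lines
        ts, host, user, src = parsed
        if user not in group_ids:
            continue  # individual account: accountability is preserved
        severity = "high" if host in mission_hosts else "medium"
        findings.append(UnattributableSession(ts, host, user, src, severity))
    return findings


def sessions_per_account(findings):
    """Count shared-ID sessions per (host, group ID): which IDs to retire first."""
    return Counter((f.host, f.user) for f in findings)


# Constructed sample log for one morning. The last line is a failed logon and
# must not be reported, because no session was established.
SAMPLE_LOG = [
    "2000-09-28T08:01:12 flightctl-01 sshd[4121]: Accepted password for opsteam from 10.0.0.5 port 51022 ssh2",
    "2000-09-28T08:03:45 webhost-07 sshd[4130]: Accepted publickey for jsmith from 10.0.0.9 port 51030 ssh2",
    "2000-09-28T08:05:02 vehicleops-02 sshd[4137]: Accepted password for shiftcrew from 10.0.1.7 port 51041 ssh2",
    "2000-09-28T08:07:19 webhost-07 sshd[4142]: Accepted password for netadmin from 10.0.0.9 port 51050 ssh2",
    "2000-09-28T08:09:33 flightctl-01 sshd[4150]: Failed password for opsteam from 10.0.0.5 port 51066 ssh2",
]

if __name__ == "__main__":
    found = find_unattributable_sessions(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:6} {f.timestamp} {f.host}: group ID '{f.user}' "
              f"from {f.source} (individual unknown)")
    for (host, user), n in sessions_per_account(found).items():
        print(f"{host}: {n} session(s) under '{user}'")
```

Running it on the sample reports three sessions, two of them high severity because they landed on the constructed mission systems; the failed logon and the individually attributed logon are ignored.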
Appendix A. Objectives, Scope, and Methodology

Objectives

The overall objective was to determine whether NASA has established and implemented effective
policies and procedures for IT security planning in accordance with OMB Circular A-130.
Specifically, we determined whether the Agency has developed adequate security plans for general
support IT systems, major applications, and publicly accessible Web sites (see details on these
systems in footnotes 6, 7, and 2).

We announced that we would also determine whether the Agency established effective IT security
planning processes as an integral part of its strategic information resources management program.[14]
The audit announcement stated that we will review the:

•    IT security planning metrics developed for reporting under the Government Performance and
     Results Act;

•    management actions taken on the recommendations from the GAO report number
     GAO/AIMD-99-47, "Information Security, Many NASA Mission-Critical Systems Face Serious
     Risks"; and

•    management actions taken on the recommendations from NASA's internal "Information
     Technology Security Program Review."

We will cover these elements in the next phase of continuing audit field work and will address them in
a subsequent report(s).

Scope

We performed work at NASA Headquarters, Ames, Glenn, Goddard, JPL, Kennedy, Johnson,
Langley, and Marshall. We reviewed a sample of 38 IT system security plans for SMA systems and
a sample of 30 IT system security plans for computers that host publicly accessible Web sites. We
interviewed NASA and contractor personnel to identify policies and procedures related to IT
security planning and authorizations to process. We also reviewed IT system security plans to
determine whether the plans contained the information required by OMB Circular A-130. We
determined whether each IT system in our samples had a current authorization to process. We did
not perform detailed testing to determine the adequacy or effectiveness of the security measures or
the accuracy of the information in each IT system security plan. We did not use computer-processed
data in the audit.

[14] The audit announcement stated that we would determine whether the Agency has implemented an adequate strategic
information resources management plan that incorporates the system security plans for general support systems and major
applications. We cancelled this objective because the underlying requirement has been deleted by the Information Technology
Reform Act of 1996.

We are separately reviewing NASA's implementation of Presidential Decision Directive 63,
"Protecting America's Critical Infrastructures," dated May 22, 1998, under audit assignment
A0003200, "Review of NASA's Planning and Implementation for Presidential Decision Directive
63." The objectives of this review are to determine whether NASA has developed an effective plan
for protecting its critical cyber-based infrastructure, identified its critical assets, and adequately
assessed vulnerabilities.

Methodology

We developed two universes of IT system security plans. The first universe consisted of the system
security plans for the SMA IT systems at eight audit locations, which are listed in the table that
follows this section. The second universe consisted of the IT system security plans for the computers
at the eight audit locations that hosted publicly accessible Web sites. We used random sampling to
select five IT system security plans for SMA systems and five security plans for computers that
hosted publicly accessible Web sites at each of the eight audit locations. When there were fewer
than five IT security plans for Web site host computers at a location, we reviewed all the plans.
We
intended to review a sample of the IT security plans at JPL, but we learned during the initial data
gathering process that JPL had no security plans for any of its IT systems.

Some Centers identified the security plans for each SMA system and Web site host computer.
When Centers did not identify the IT security plans for their systems, we assumed there was one IT
security plan for each SMA system and one IT security plan for each Web site host computer. After
we started the field work, we learned that some SMA systems had several security plans. Each plan
covered one or more of the system elements. When this situation occurred, we judgmentally
selected one of the plans for review. For example, the Space Network Systems at Goddard has
three IT security plans that cover four major components. We selected the security plan for the
Network Control Center for review.

The table below shows the number of sampled IT security plans relative to the universe of SMA
systems and Web site host computers.

                             Number of Plans[1]              Plans Sampled
                             SMA        Web Site Host        SMA        Web Site Host
    Center                   Systems    Computers            Systems    Computers
    Ames                        6          24                   5          7[2]
    Goddard                    32          60                   5[3]       5
    Glenn                      17          34                   5          5
    Headquarters               14          14                   5          5
    Johnson                    23          25                   5          0[5]
    Kennedy                    17          34                   5          4[4]
    Langley                    31           1                   5          1
    Marshall                   37           3                   3[5]       3
    Total                     177         195                  38         30

[1] There is no direct correlation between the number of IT security plans and the number of SMA systems or Web site host
computers. Some IT security plans covered more than one SMA system or Web site host computer. Three of the SMA
systems in the samples had several security plans. Because we did not make additional inquiries for each system, there may
be more SMA IT security plans than shown in the table.

[2] We judgmentally added two more Web site host computers to the sample at Ames because of the large number of Web sites
on the computers.

[3] After we started our field work, we learned that there was more than one IT system security plan for three of the SMA
systems in our Goddard sample. We judgmentally selected one of the plans for each system for review.

[4] We initially selected a sample of five Web site host computer IT system security plans. Kennedy had difficulty in locating
one of the plans. After we completed our visit to Kennedy, we learned that two of the Web sites were on the same computer.
Therefore, we reduced the sample size for Kennedy.

[5] We reduced the sample due to resource and time constraints.

Management Controls Reviewed

We reviewed Federal and NASA policies and procedures relating to IT security planning to
determine whether NASA's IT security policies and system security plans were adequate.
We identified a potential material management control weakness (Finding A) and other management control weaknesses (Finding B), which are discussed in the Findings section of the report.

Appendix A

Audit Field Work

We performed field work from March through July 2000 at NASA Headquarters, Ames, Glenn, Goddard, Johnson, Langley, Kennedy, and Marshall. We performed the audit in accordance with generally accepted auditing standards. In addition, we collected information from JPL.

Prior Audit Coverage

The GAO issued an audit report titled "Information Security, Many NASA Mission-Critical Systems Face Serious Risks," Report Number GAO/AIMD-99-47, May 1999. The GAO found that NASA was not effectively and consistently managing IT security throughout the agency. NASA's IT security program did not include key elements of a comprehensive IT security management program. Specifically, NASA:

    •   did not effectively assess risks or evaluate needs. One hundred thirty-five of the 155 mission-critical systems that we reviewed did not meet all of NASA's requirements for risk assessments.

    •   did not effectively implement policies and controls. NASA's guidance did not specify what information can be posted on public World Wide Web sites nor how mission-critical systems should be protected from well-known Internet threats.

    •   was not monitoring policy compliance or the effectiveness of controls. NASA had not conducted an agency-wide review of IT security at its 10 field centers since 1991. Furthermore, the security of 60 percent of the systems that we reviewed had not been independently audited.

    •   was not providing required computer security training. NASA had no structured security training curriculum.

    •   did not centrally coordinate responses to security incidents. NASA field centers were not reporting incidents to the NASA Automated Systems Incident Response Capability.

    NASA management is aware that its IT security program needs improvement. Accordingly, in May 1998 NASA initiated a special review of its IT security program. The review identified a number of shortcomings that were consistent with our findings. Although NASA is planning to address these shortcomings, at the time of our review, few of the special review's recommendations had been implemented.

Appendix B. Federal Guidance on Information Technology Security

OMB Circular A-130, "Management of Federal Information Resources." Circular A-130 provides uniform management policies on Governmentwide information resources. Appendix III of the Circular establishes a minimum set of controls to be included in Federal automated information security programs.

OMB Circular A-130, Appendix III, paragraph A.3.a., requires that agency programs include the following controls in their general-support systems and major applications:

    a.  Controls for general support systems.

        1)  Assign responsibility for security in each system to an individual knowledgeable in the IT used in the system and in providing security for such technology.

        2)  Plan for adequate security of each general support system as part of the organization's information resources management (IRM) planning process. Security plans shall include:

            a)  Rules of the System. Establish a set of rules of behavior concerning use of, security in, and the acceptable level of risk for, the system. The rules shall be based on the needs of the various users of the system. The rules shall be only as stringent as necessary to provide adequate security for information in the system. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system. They shall also include appropriate limits on interconnections to other systems and shall define service provision and restoration priorities. Finally, they shall be clear about the consequences of behavior not consistent with the rules.

            b)  Training. Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM [Office of Personnel Management].
Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system.

            c)  Personnel Controls. Screen individuals who are authorized to bypass significant technical and operational security controls of the system commensurate with the risk and magnitude of harm they could cause. Such screening shall occur before an individual is authorized to bypass controls and periodically thereafter.

            d)  Incident Response Capability. Ensure that there is a capability to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. This capability shall share information with other organizations, consistent with NIST coordination, and should assist the agency in pursuing appropriate legal action, consistent with Department of Justice guidance.

            e)  Continuity of Support. Establish and periodically test the capability to continue providing service within a system based upon the needs and priorities of the participants of the system.

            f)  Technical Security. Ensure that cost-effective security products and techniques are appropriately used within the system.

            g)  System Interconnection. Obtain written management authorization, based upon the acceptance of risk to the system, prior to connecting with other systems. Where connection is authorized, controls shall be established which are consistent with the rules of the system and in accordance with guidance from NIST.

        3)  Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system.

        4)  Authorize Processing. Ensure that a management official authorizes in writing the use of each general support system based on implementation of its security plan before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every three years.

    b.  Controls for Major Applications.

        1)  Assign Responsibility for Security. Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application.

        2)  Application Security Plan. Plan for the adequate security of each major application, taking into account the security of all systems in which the application will operate. The plan shall be consistent with guidance issued by NIST. Advice and comment on the plan shall be solicited from the official responsible for security in the primary system in which the application will operate prior to the plan's implementation. Application security plans shall include:

            a)  Application Rules. Establish a set of rules concerning use of and behavior within the application. The rules shall be as stringent as necessary to provide adequate security for the application and the information in it. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the application. In addition, the rules shall be clear about the consequences of behavior not consistent with the rules.

            b)  Specialized Training. Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules. This may be in addition to the training required for access to a system. Such training may vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application).

            c)  Personnel Security. Incorporate controls such as separation of duties, least privilege and individual accountability into the application and application rules as appropriate. In cases where such controls cannot adequately protect the application or information in it, screen individuals commensurate with the risk and magnitude of the harm they could cause. Such screening shall be done prior to the individuals' being authorized to access the application and periodically thereafter.

            d)  Contingency Planning. Establish and periodically test the capability to perform the agency function supported by the application in the event of failure of its automated support.

            e)  Technical Controls. Ensure that appropriate security controls are specified, designed into, tested, and accepted in the application in accordance with appropriate guidance issued by NIST.

            f)  Information Sharing. Ensure that information shared from the application is protected appropriately, comparable to the protection provided when information is within the application.

            g)  Public Access Controls. Where an agency's application promotes or permits public access, additional security controls shall be added to protect the integrity of the application and the confidence the public has in the application. Such controls shall include segregating information made directly accessible to the public from official agency records.

        3)  Review of Application Controls. Perform an independent review or audit of the security controls in each application at least every three years. Consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act if there is no assignment of responsibility for security, no security plan, or no authorization to process for the application.

        4)  Authorize Processing. Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application.

Appendix C. Material Control Weakness

OMB Circular A-123 requires agencies to test and report annually on the adequacy of organizational management controls.
Agency managers and employees should report any deficiencies in management controls if the deficiency is or should be of interest to the next level of management. Agency employees and managers generally report deficiencies to the next supervisory level, which allows the chain of command structure to determine the relative importance of each deficiency.

The Circular states:

    A deficiency that the agency head determines to be significant enough to be reported outside the agency (i.e. included in the annual Integrity Act report to the President and the Congress) shall be considered a "material weakness." This designation requires a judgment by agency managers as to the relative risk and significance of deficiencies. Agencies may wish to use a different term to describe less significant deficiencies, which are reported only internally in an agency. In identifying and assessing the relative importance of deficiencies, particular attention should be paid to the views of the agency's IG.

NASA Policy Directive 1200.1A, "Internal Management Controls and Audit Liaison and Followup," dated June 1, 2000, requires managers to identify and recommend significant areas of management concern that may be the result of weak, inadequate, or unenforced management controls. Center Directors forward significant areas of concern to their Institutional Program Office Associate Administrator. The Associate Administrators report their concerns to the Administrator. Headquarters Officials in Charge submit significant areas of management concern to the Internal Control Council, which makes recommendations to the Administrator. The NASA Inspector General is an ex-officio member of the Internal Control Council and submits significant areas of concern to the Council. The Administrator decides which concerns will be reported under the Federal Managers' Financial Integrity Act.

Appendix D. Management's Response

Appendix E. Report Distribution

National Aeronautics and Space Administration (NASA) Headquarters

A/Administrator
AI/Associate Deputy Administrator
AO/Chief Information Officer
B/Chief Financial Officer
B/Comptroller
BF/Director, Financial Management Division
C/Associate Administrator for Headquarters Operations
G/General Counsel
H/Associate Administrator for Procurement
HK/Director, Contract Management Division
HS/Director, Program Operations Division
J/Associate Administrator for Management Systems
JM/Acting Director, Management Assessment Division
L/Associate Administrator for Legislative Affairs
M/Associate Administrator for Space Flight
R/Associate Administrator for Aerospace Technology
S/Associate Administrator for Space Science
Y/Associate Administrator for Earth Science

NASA Centers

Director, Ames Research Center
 Chief Information Officer, Ames Research Center
Director, John H. Glenn Research Center at Lewis Field
 Chief Information Officer, John H. Glenn Research Center at Lewis Field
Director, Goddard Space Flight Center
 Chief Information Officer, Goddard Space Flight Center
Director, Jet Propulsion Laboratory
 Chief Information Officer, Jet Propulsion Laboratory
Director, Lyndon B. Johnson Space Center
 Chief Information Officer, Lyndon B. Johnson Space Center
Director, John F. Kennedy Space Center
 Chief Information Officer, John F. Kennedy Space Center
 Chief Counsel, John F. Kennedy Space Center
Director, Langley Research Center
 Chief Information Officer, Langley Research Center
Director, George C. Marshall Space Flight Center
 Chief Information Officer, George C. Marshall Space Flight Center

Non-NASA Federal Organizations and Individuals

Assistant to the President for Science and Technology Policy
Deputy Associate Director, Energy and Science Division, Office of Management and Budget
Branch Chief, Science and Space Programs Branch, Energy and Science Division, Office of Management and Budget
Associate Director, National Security and International Affairs Division, Defense Acquisitions Issues, General Accounting Office
Professional Assistant, Senate Subcommittee on Science, Technology, and Space

Chairman and Ranking Minority Member – Congressional Committees and Subcommittees

Senate Committee on Appropriations
Senate Subcommittee on VA, HUD, and Independent Agencies
Senate Committee on Commerce, Science, and Transportation
Senate Subcommittee on Science, Technology, and Space
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on VA, HUD, and Independent Agencies
House Committee on Government Reform and Oversight
House Subcommittee on Government Management, Information, and Technology
House Subcommittee on National Security, Veterans Affairs, and International Relations
House Committee on Science
House Subcommittee on Space and Aeronautics, Committee on Science

Congressional Member

Honorable Pete Sessions, U.S. House of Representatives

NASA Assistant Inspector General for Auditing
Reader Survey

The NASA Office of Inspector General has a continuing interest in improving the usefulness of our reports.
We wish to make our reports responsive to our customers' interests, consistent with our statutory responsibility. Could you help us by completing our reader survey? For your convenience, the questionnaire can be completed electronically through our homepage at http://www.hq.nasa.gov/office/oig/hq/audits.html or can be mailed to the Assistant Inspector General for Auditing; NASA Headquarters, Code W, Washington, DC 20546-0001.

Report Title: System Information Technology Security Planning

Report Number:                                   Report Date:

Circle the appropriate rating for the following statements.

                                                    Strongly                                Strongly
                                                     Agree     Agree   Neutral   Disagree   Disagree   N/A
1. The report was clear, readable, and                 5         4        3         2          1       N/A
   logically organized.
2. The report was concise and to the point.            5         4        3         2          1       N/A
3. We effectively communicated the audit               5         4        3         2          1       N/A
   objectives, scope, and methodology.
4. The report contained sufficient information         5         4        3         2          1       N/A
   to support the finding(s) in a balanced and
   objective manner.

Overall, how would you rate the report?

    Excellent            Fair
    Very Good            Poor
    Good

If you have any additional comments or wish to elaborate on any of the above responses, please write them here. Use additional paper if necessary.

How did you use the report?

How could we improve our report?

How would you identify yourself? (Select one)

      Congressional Staff                       Media
      NASA Employee                             Public Interest
      Private Citizen                           Other:
      Government:             Federal:             State:         Local:

May we contact you about your comments?

Yes: ______                               No: ______
Name: ____________________________
Telephone: ________________________

Major Contributors to the Report

Gregory B. Melson, Program Director, Information Assurance Audits

Ernest L. Willard, Audit Program Manager

James W. Geith, Auditor-in-Charge

Kathleen M. Kirby, Auditor

Kenneth E. Sidney, Auditor

Brenda K. Stepps, Auditor

Nancy C. Cipolla, Report Process Manager